How to leverage automotive software development standards to mitigate risk

This article discusses some of the issues contributing to automotive software complexity, as well as the risks associated with automotive software development. We’ll also discuss how implementing known development best practices, such as ISO 26262, helps organizations mitigate those risks.

When average non-engineer consumers think of electronic systems in automobiles, they likely think of integrated GPS, infotainment systems, and probably some vague notion that there is a computer somewhere in the car controlling some of the safety features. Of course, the reality is that modern cars are significantly more complex with software playing an increasingly larger role in all facets of functionality, including many safety-critical functions. In fact, cars have been leveraging electronic systems for critical functionality for decades, and market changes, such as the push toward an Internet of Things, have nudged automakers towards embedding a greater number of complex computer systems that run the gamut of criticality.

The business structures and supply chains associated with system development further add to the complexity. It’s rare, if it happens at all, that a manufacturer engineers and builds every component and subsystem in its cars from the ground up, and that creates potential integration issues. A transmission is taken from this model, a good braking system from that one. While they may have worked well in their previous environment, in a totally new and complex system they may well produce unintended and unexpected results. As a result, automotive software is often a complex hodgepodge of systems that may or may not have been sufficiently tested. Implementing components in an ad-hoc manner without proper testing, especially in safety-critical applications, can be extremely costly.

The upside, though, is that there are known practices for helping automakers mitigate the risk of failure by building software quality into their development processes. According to some estimates, a standard mid-range car can have well over a hundred electronic control units (ECUs) processing millions of lines of code, and this number is increasing. It’s not uncommon for a manufacturer to have several models of cars with over one hundred million lines of code. There is a perception that the more expensive the car, the more software is embedded, and that most of the software is dedicated to high-end infotainment components. While it’s true that these systems become increasingly complex as you move up the model line, even introductory lines of cars use software to control steering, brake systems, electrical power distribution, and so on. And even seemingly minor additions to the feature set, such as Bluetooth, climate control, cruise control, etc., lead to exponential growth of code.

We can assume that more code translates to more complexity, and therefore more risk, but that alone may not have a significant impact. A larger contributor to the business risk associated with automotive software is the integration of code developed from a variety of sources across multiple tiers. Most components, including ECU-based components, are subcontracted to second-tier providers, who subcontract to third-tier providers, and so on. Each preceding tier has specific requirements for the component it is developing. Organizations often (but not always) have practices in place for analyzing incoming code to ensure that the components function as expected.

But this assumes that every component along the supply chain is a new development. In reality, downstream tiers are branching off code written for a specific make, model, and year. The mutation and reuse of code takes place throughout the supply chain, which leads to a testing problem. How does the manufacturer implement end-to-end testing in such a chaotic ecosystem of software development? When the ECU in the steering wheel was originally developed for one vehicle and the ECU in the dashboard was developed for another vehicle, and neither ECU was designed for the vehicle they are currently embedded in, what’s the impact? How can you ensure that the complete system functions as expected? It is entirely possible for both systems to pass testing as functional but be unable to communicate properly in all situations. What is the risk associated with this gap?

When organizations attempt to measure the cost of software development, they tend to look at general metrics: development time for the engineers; testing time for QA; building materials in the form of acquiring tool licenses, compilers, and other infrastructure components. These are important metrics, but often overlooked are the costs of failure. If the software in the braking system fails, what will it cost the business in terms of rework, recalls, audits, litigation, and loss of stock value? What if there is a loss of life? We argue that the cost of quality is the cost of developing and testing the software, including all the normal metrics we identified plus the very tangible costs associated with a failure in the field.

Figure 1. The number of software defects has doubled in recent years, and NHTSA estimates that recalls and fixes cost automakers $3 billion per year.

Defects cost automakers a lot of money. The NHTSA estimates that recalls and fixes across the industry cost automakers $3 billion annually. When it comes to the cost of software-related issues, a 2005 estimate from IEEE put the cost to manufacturers at $350 per car. When you consider the low profit margins across a line of vehicles, it’s conceivable that a serious enough software defect can severely hurt the business. The bottom line is important, but even more important is that people can become seriously injured or even die as a result of a software defect. And it doesn’t matter how far down the supply chain the defect may originate, defects and all their associated consequences become the responsibility of the automaker. As such, any cost analysis around software development needs to take the potential costs of failure into consideration.

Figure 2. In modern cars, numerous complex computer systems are installed, with well over a hundred ECUs processing millions of lines of code.

We’ve argued that the complexity of the tiered supply chain for automotive software contributes to the overall risk associated with safety-critical systems. We’ve also reiterated the potential costs to automotive businesses. But there’s another dimension to this issue that resides in the cultural difference between engineering and software development. Software development is almost never engineering. That is, certain concepts from engineering principles, such as repeatability, well-exercised best practices, and reliance on building standards, have yet to become firmly established in software development. Additionally, training for software developers can be inconsistent, even non-existent, and organizations would have to go to great lengths to verify that their developers possess adequate knowledge to build safety-critical software.

This is in contrast to engineering, in which the attitudes, mindsets, and history of the discipline enforce a process that is less prone to defects than software development. That is not to say that engineers know what they’re doing and software developers don’t. Rather, it’s to say that automotive engineering as a field is twice as mature as software development, and that the intangible, temporal nature of software perpetuates a cavalier attitude of “if it works, then it’s done.”

The emphasis in software development is on faster delivery and functional requirements: how quickly can we have this functionality? There is little incentive from management to build sound engineering practices into the software development lifecycle. Achieving functional safety in software requires operationalizing certain engineering principles: functional safety must be proactive; processes must be controlled, measured, and repeatable; defects should be prevented through the implementation of standards; and testing must be effective and deterministic, and must cover complex memory problems.

The good news is that attitudes around software development have been evolving. ISO 26262, MISRA, and other standards seek to normalize software development for automotive applications by providing a foundation for implementing engineering concepts in software development processes. Some organizations view compliance with ISO 26262 and other standards as a burden that only adds overhead without any direct value, but the truth is that the cost of failure associated with software defects is much, much greater than the cost of ensuring quality. Just as electrical standards specify a particular gauge of wire to carry a known voltage, coding standards provide the guidelines that help avoid disaster.
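To make the last point concrete, here is an added example in C (written for this article, not code from the author, from MISRA, or from any automaker) of the kind of memory defect the article says ad-hoc testing tends to miss, beside the defensive form that a coding standard steers developers toward. The frame layout, the field names, the plausibility limit and the sample payload are all assumptions constructed for the illustration.

```c
/* Added example: decoding a wheel-speed frame received from an in-vehicle
 * bus. Frame format, names and limits are constructed for this illustration
 * and are not taken from any real vehicle or standard. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdbool.h>

#define FRAME_PAYLOAD_MAX 8u      /* assumed data-field length of one frame */
#define WHEEL_COUNT       4u      /* four wheels, 2 bytes of RPM each */
#define RPM_PLAUSIBLE_MAX 3000u   /* assumed physical plausibility limit */

typedef struct {
    uint8_t length;                      /* declared number of valid payload bytes */
    uint8_t payload[FRAME_PAYLOAD_MAX];
} frame_t;

typedef struct {
    uint16_t wheel_rpm[WHEEL_COUNT];
    bool     valid;                      /* false means: do not use the values */
} wheel_speed_t;

/* "Before": trusts the length byte from the wire and uses it as a loop
 * bound. A frame whose length field exceeds the payload size reads and
 * writes past the arrays. Functional tests with well-formed frames pass,
 * which is exactly the gap the article describes. Shown for contrast only. */
wheel_speed_t decode_unchecked(const frame_t *f)
{
    wheel_speed_t out;
    size_t i;
    memset(&out, 0, sizeof out);
    for (i = 0; i < (size_t)f->length / 2u; i++) {
        out.wheel_rpm[i] = (uint16_t)(((uint16_t)f->payload[2u * i] << 8)
                                      | f->payload[2u * i + 1u]);
    }
    out.valid = true;
    return out;
}

/* "After": every assumption is checked before it is used, indexing is
 * bounded by a compile-time constant rather than by received data, and
 * the result carries an explicit validity flag so a caller cannot silently
 * consume garbage. This is the defensive, deterministic style that coding
 * standards such as MISRA C and ISO 26262 process requirements push
 * developers toward; the specific checks are this example's own. */
wheel_speed_t decode_checked(const frame_t *f)
{
    wheel_speed_t out;
    size_t i;
    memset(&out, 0, sizeof out);
    out.valid = false;

    if (f == NULL) {
        return out;                                  /* no frame: reject */
    }
    if (f->length != (uint8_t)(WHEEL_COUNT * 2u)) {
        return out;                                  /* wrong size: reject without indexing */
    }
    for (i = 0; i < WHEEL_COUNT; i++) {              /* bound is a constant, not wire data */
        uint16_t rpm = (uint16_t)(((uint16_t)f->payload[2u * i] << 8)
                                  | f->payload[2u * i + 1u]);
        if (rpm > RPM_PLAUSIBLE_MAX) {
            return out;                              /* physically implausible: reject */
        }
        out.wheel_rpm[i] = rpm;
    }
    out.valid = true;
    return out;
}
```

The unchecked decoder and the checked one agree on every well-formed frame, so a test plan that only feeds well-formed frames cannot tell them apart; only the checked version behaves deterministically on a malformed length field or an implausible value, which is the property a functional-safety review looks for.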
